Interesting bit here. How would this render the firewall useless?
# greater than 1 is a vulnerability by design used by TLA phishers rendering every firewall useless.
# beware of fakademic mid-wits that parrot things they do not understand.
MaxSessions 1
If I can get you or someone on your team to run a script, meaning I was phishing and someone on your email alias ran it to "help me debug my new script", then I can drop a tiny obfuscated shell script that will execute when you log in. No sudo, no root. Your machine will ssh out to a node I control using gateway ports. I then ssh into your node using a key I dropped plus an sshd running as you, and then piggy-back on your multiplexed connection to your development or production data-center, making use of a connection that you already authenticated to and already used MFA/2FA for. In most cases there will be no logs to gather and the security team will see my connection as you. No hacking tools required, no detection from most security daemons.
It's only a risk if someone on your team runs the script and your local network allows outbound connections to the internet. None of this is theory, though management teams will never want to see a demo, much less let others in the company see it. A former coworker came up with the design. Shout out to The Godfather.
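A defender-side check for the `MaxSessions` setting quoted above, as an added example that is not part of the original comments: it reads sshd_config text and reports, per scope, whether more than one session per connection is permitted. It assumes OpenSSH's documented default of 10 and that the first value obtained for a keyword wins; the function name and sample config are constructed for illustration, and `Include` files are not followed.

```python
OPENSSH_DEFAULT = 10  # MaxSessions default per sshd_config(5) when unset

def audit_max_sessions(config_text):
    """Return [(scope, effective_value, multiplexing_allowed), ...].

    scope is "global" or the text of a Match line. Within a scope the
    first MaxSessions value is kept (later duplicates are ignored), and
    a Match block without its own value inherits the global one.
    """
    scopes = ["global"]
    first_value = {}
    scope = "global"
    for raw in config_text.splitlines():
        fields = raw.strip().split()
        if not fields or fields[0].startswith("#"):
            continue  # blank line or comment
        keyword = fields[0].lower()  # keywords are case-insensitive
        if keyword == "match":
            scope = " ".join(fields)
            if scope not in scopes:
                scopes.append(scope)
        elif keyword == "maxsessions" and len(fields) > 1:
            first_value.setdefault(scope, int(fields[1]))
    global_value = first_value.get("global", OPENSSH_DEFAULT)
    report = []
    for s in scopes:
        value = first_value.get(s, global_value)
        # A value of 1 disables session multiplexing; anything above
        # 1 lets extra sessions ride an authenticated connection.
        report.append((s, value, value > 1))
    return report

# Constructed sample config, not taken from any real host.
SAMPLE = """\
# constructed sample
Port 22
maxsessions 4
MaxSessions 1
Match User backup
    MaxSessions 1
Match Group dev
    AllowTcpForwarding no
"""

if __name__ == "__main__":
    for scope, value, allowed in audit_max_sessions(SAMPLE):
        status = "multiplexing allowed" if allowed else "single session"
        print(f"{scope}: MaxSessions={value} ({status})")
```

On a live host, `sshd -T` prints the effective configuration and can be compared against this file-level result.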